Need to permanently trust a certificate

New Contributor

We have a profile that pushes a network certificate for wireless. The profile policy has set limitations so it will only pull a certificate when it is on campus. Our certificate server is on-site so I didn't want the profile failing when they are off-site, hence the limitations. This part is working great.

The problem is that now when that computer is off-site and checks in with Jamf, Jamf is pulling the profile. So when they come back on campus they cannot reconnect to the network because the profile is not there to verify the certificate. So they have to connect to the gated garden and re-pull the profile and end up pulling a new certificate. Each laptop is pulling its own certificate specific to it.

Does anyone have any ideas on how I can fix this?
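The failure mode described here (the profile drops out of scope off campus and is removed, and nobody notices until the Mac is back on the wireless network) is easier to manage if Jamf reports it. Below is an added example, not code from the thread or from Jamf, of an Extension Attribute-style check that parses the output of `sudo profiles -P` and reports whether the Wi-Fi profile is still installed. The profile identifier `com.example.campus-wifi`, the helper names and the sample `profiles` output are constructed placeholders; the `_computerlevel[n] attribute: profileIdentifier:` line format is what `profiles -P` prints on macOS.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Extension Attribute-style check that
# reports whether the campus Wi-Fi configuration profile is still installed.
# It parses `sudo profiles -P` output, whose lines look like:
#   _computerlevel[1] attribute: profileIdentifier: com.example.wifi
# The identifier and the sample output below are constructed placeholders.

WIFI_PROFILE_ID="${WIFI_PROFILE_ID:-com.example.campus-wifi}"   # assumed identifier

# profile_present PROFILES_OUTPUT IDENTIFIER
# Returns 0 if some line names IDENTIFIER as a profileIdentifier (anchored at
# end of line so "com.example.campus-wifi-test" does not match by prefix).
profile_present() {
  printf '%s\n' "$1" | grep -q "profileIdentifier: $2\$"
}

# ea_result PROFILES_OUTPUT IDENTIFIER
# Prints the <result>...</result> string Jamf expects from an Extension Attribute.
ea_result() {
  if profile_present "$1" "$2"; then
    echo "<result>Installed</result>"
  else
    echo "<result>Missing</result>"
  fi
}

# Constructed sample output for offline use: one Mac still has the Wi-Fi profile,
# the other has only an unrelated profile left after the Wi-Fi one was removed.
SAMPLE_PRESENT='_computerlevel[1] attribute: profileIdentifier: com.example.campus-wifi
_computerlevel[1] attribute: profileUUID: 11111111-2222-3333-4444-555555555555
_computerlevel[2] attribute: profileIdentifier: com.example.filevault'

SAMPLE_MISSING='_computerlevel[1] attribute: profileIdentifier: com.example.filevault'

# On a Mac run as root (how Jamf runs EAs), read the live profile list;
# anywhere else, fall back to the constructed sample so the script still runs.
if [ "$(id -u)" -eq 0 ] && command -v profiles >/dev/null 2>&1; then
  ea_result "$(profiles -P 2>/dev/null)" "$WIFI_PROFILE_ID"
else
  ea_result "$SAMPLE_PRESENT" "$WIFI_PROFILE_ID"
fi
```

Used as an Extension Attribute, the `Missing` value lets you build a smart group of Macs that lost the profile while off campus, so the re-push (or a Self Service item) can be targeted at exactly those machines instead of waiting for users to hit the captive portal.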
Contributor III

For 802.3x authentication Apple interprets (correctly) the relevant standards as requiring the user to be prompted about the certificate regardless of its trust status, unless the entire login is automated with stored credentials. Thus you're out of luck avoiding the certificate prompt to get on Wi-Fi.

Ideas that come to mind:

  • Could the certificate be issued by policy instead of an MDM push? This would avoid it getting revoked by falling out of scope
  • Would it be possible to have the certificate issued as part of a Self Service process that could provide warning not to run it while off campus and thus be left in scope off campus?
  • Could the certificate be included in the prestage of an ADE/DEP enrollment?
  • Could you get wireless to start trusting the certs that the JSS itself issues?

Contributor III

Have you considered issuing the certificate via SCEP proxy so it can be delivered everywhere? If you do it this way, you won't have to limit the scope and it shouldn't get removed after it's been deployed.